The Federal Trade Commission has announced a settlement with LightYear Dealer Technologies, LLC, doing business as DealerBuilt, a company that sells software and data services to auto dealers. The FTC alleged that DealerBuilt’s poor data security practices resulted in a breach that exposed the personal information of millions of consumers. A hacker gained unauthorized access to the data of millions of consumers during at least a 10-day period and downloaded the data of 69,283 individuals. DealerBuilt’s customer base is comprised of nearly 320 dealership locations across the country.
The FTC’s complaint against DealerBuilt alleged that its failures led to a breach of the company’s backup systems, allowing a hacker to gain access to the unencrypted personal information of about 12.5 million consumers, including their Social Security numbers, driver’s license numbers, and birth dates, as well as wage and financial information. DealerBuilt, however, did not detect the breach until it was notified by one of its auto dealer customers. The FTC’s complaint states that the company never performed any vulnerability scanning, penetration testing, or other measures that would have detected the problem. The FTC further alleges that DealerBuilt failed to implement reasonable data security practices to protect personal data stored on its network such as developing, implementing, or maintaining a written information security policy and training for employees; using security measures to monitor its systems and assets; and imposing reasonable data access controls. The FTC alleges that DealerBuilt’s failures resulted in violations of both the FTC Act and the Gramm-Leach-Bliley Act’s Safeguards Rule.
DealerBuilt’s settlement with the FTC requires the company to put into place an information security program with certain required elements, and provides insight into the type of program that the FTC expects every company to have in place. FTC Chairman Joe Simon was quoted in the announcement of the settlement and explained that the settlement reflects a new benchmark in the agency’s data security orders: “Today’s announcement reflects additional and significant improvements to the FTC’s data security orders that will further protect consumers and deter lax security practices.” While the FTC’s order is detailed, its provisions are not ground-breaking and are recitations of what a company’s information security program ideally should already have in place.
The FTC’s settlement requires DealerBuilt’s information security program to satisfy certain minimum requirements, including:
- Documenting in writing the content, implementation, and maintenance of the information security program (a basic requirement already required in other contexts);
- Providing the written program and any evaluations thereof or updates thereto to the board of directors or other governing body at least once every twelve months and promptly after an incident;
- Designating a qualified employee or employees to coordinate and be responsible for the information security program;
- Assessing and documenting, at least once every twelve months and promptly following an incident, internal and external risks to the security, confidentiality, or integrity of personal information that could result in the unauthorized disclosure, misuse, loss, theft, alteration, destruction, or other compromise of such information;
- Designing, implementing, maintaining, and documenting safeguards that control for the internal and external risks identified to the security, confidentiality, or integrity of personal information identified in response annual assessments. Safeguards must also include annual employee training, encryption of Social Security numbers and financial account information, and maintaining policies and procedures to ensure the security of the company’s network devices;
- Assessing, at least once every twelve months and promptly following an incident, the sufficiency of any safeguards in place to address the risks to the security, confidentiality, or integrity of personal information, and modify the information security program based on the results;
- Testing and monitoring the effectiveness of the safeguards at least once every twelve months and promptly following an incident, and modifying the information security program based on the results;
- Selecting and retaining service providers capable of safeguarding personal information they access through or receive from the company, and contractually requiring service providers to implement and maintain safeguards for personal information; and
- Evaluating and adjusting the information security program in light of any changes to the company’s operations or business arrangements, an incident, or any other circumstances that the company knows or has reason to know may have an impact on the effectiveness of the information security program. DealerBuilt is required to evaluate the information security program at least once every twelve months. The settlement, too, can be viewed as a warning to companies engaging in the business-to-business processing of consumer information, given that it represents an expansion of the scope of the FTC’s Gramm-Leach-Bliley Act enforcement activities. The FTC appears to be renewing its focus on supply chain security risks by defining broadly what a “financial institution” subject to the GLBA Safeguards and Privacy Rules is.
- The proposed settlement also requires DealerBuilt to obtain third-party assessments of its information security program every two years for a twenty-year period. The third-party assessor must conduct independent sampling, employee interviews, and document review, and use these in developing conclusions related to its assessments. A senior corporate manager responsible for overseeing DealerBuilt’s information security program must also certify compliance with the order annually. Finally, the FTC is given authority to approve the assessor selected.
DealerBuilt’s settlement with the FTC should be viewed as a useful guide to what the agency’s data security orders require and, more importantly, to what the agency expects from all companies—including financial services companies that themselves do not directly interact with consumers—even outside a settlement context, to protect data privacy. In light of this, information security officers should consider reviewing their companies’ information security programs against the backdrop of the DealerBuilt settlement.